diff --git a/CHANGES b/CHANGES
index 9cf0cbfdaf..0231eda99f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+4679. [cleanup] Suggest using -o when dnssec-verify finds a SOA record
+ not at top of zone and -o is not used. [RT #45519]
+
 4677. [cleanup] Split up the main function in dig to better support the iOS app version. [RT #45508]
diff --git a/bin/dnssec/dnssec-verify.c b/bin/dnssec/dnssec-verify.c
index bb64bd7139..26c86bcb5f 100644
--- a/bin/dnssec/dnssec-verify.c
+++ b/bin/dnssec/dnssec-verify.c
@@ -114,9 +114,26 @@ loadzone(char *file, char *origin, dns_rdataclass_t rdclass, dns_db_t **db) {
 check_result(result, "dns_db_create()");
 result = dns_db_load2(*db, file, inputformat);
- if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE)
+ switch (result) {
+ case DNS_R_SEENINCLUDE:
+ case ISC_R_SUCCESS:
+ break;
+ case DNS_R_NOTZONETOP:
+ /*
+ * Comparing pointers (vs. using strcmp()) is intentional: we
+ * want to check whether -o was supplied on the command line,
+ * not whether origin and file contain the same string.
+ */
+ if (origin == file) {
+ fatal("failed loading zone '%s' from file '%s': "
+ "use -o to specify a different zone origin",
+ origin, file);
+ }
+ /* FALLTHROUGH */
+ default:
 fatal("failed loading zone from '%s': %s", file, isc_result_totext(result));
+ }
 }
 ISC_PLATFORM_NORETURN_PRE static void
diff --git a/bin/tests/system/verify/tests.sh b/bin/tests/system/verify/tests.sh
index fa66a1619f..6066868070 100644
--- a/bin/tests/system/verify/tests.sh
+++ b/bin/tests/system/verify/tests.sh
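Review bot: In the new `case DNS_R_NOTZONETOP:` branch of the switch in loadzone(), the hint is formatted with `origin, file`, which the guard `origin == file` has just shown to be the same pointer, so the zone file path is printed twice and once labelled as the zone name. That branch also leaves out `isc_result_totext(result)`, so the actual reason for the failure reaches the operator only if the loader reports it separately; the added test greps for "not at top of zone", which suggests it does, but that output is not produced by anything visible here. Consider `fatal("failed loading zone from '%s': %s; use -o to specify a different zone origin", file, isc_result_totext(result));` so the message stands on its own. loadzone() begins before the hunk, and the code in main() that makes `origin` alias `file` when -o is absent is outside it.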
@@ -94,5 +94,22 @@ do
 [ $dumpit = 1 ] && cat verify.out.$n
 done
+n=`expr $n + 1`
+echo "I:checking error message when -o is not used and a SOA record not at top of zone is found ($n)"
+ret=0
+# When -o is not used, origin is set to zone file name, which should cause an error in this case
+$VERIFY zones/ksk+zsk.nsec.good > verify.out.$n 2>&1 && ret=1
+grep "not at top of zone" verify.out.$n > /dev/null || ret=1
+grep "use -o to specify a different zone origin" verify.out.$n > /dev/null || ret=1
+[ $ret = 0 ] || failed
+
+n=`expr $n + 1`
+echo "I:checking error message when an invalid -o is specified and a SOA record not at top of zone is found ($n)"
+ret=0
+$VERIFY -o invalid.origin zones/ksk+zsk.nsec.good > verify.out.$n 2>&1 && ret=1
+grep "not at top of zone" verify.out.$n > /dev/null || ret=1
+grep "use -o to specify a different zone origin" verify.out.$n > /dev/null && ret=1
+[ $ret = 0 ] || failed
+
 echo "I:exit status: $status"
 [ $status -eq 0 ] || exit 1
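Review bot: The second added check (`-o invalid.origin`) has no comment explaining why the hint must be absent, unlike the first check, so the inverted `grep ... && ret=1` is easy to misread as a typo. A line such as `# With -o given, origin no longer aliases the file name, so the -o hint must not be printed` above the `$VERIFY -o invalid.origin` call would document it. Both checks also require "not at top of zone" in the captured output, a string the fatal() text added for the case without -o does not contain, so it presumably comes from the zone loader's own diagnostics on stderr.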